Auditor General flags government’s new support jamaica hurricane melissa online donation platform

The Government’s new platform for hurricane Melissa monetary donations, Support Jamaica, has been flagged by the Auditor General for having some weaknesses in its information security framework, among other things.

The issues were highlighted in a report tabled in parliament, yesterday.

The website serves as a single point for the collection and management of financial and in-kind donations, volunteer registration and coordination, emergency reporting, and engagement with local and international stakeholders.

The AG said the audit of hurricane Melissa relief was undertaken to determine whether activities were executed with due regard to transparency and accountability.

The report focused on the hurricane Melissa relief website, SupportJamaica.gov.jm, with particular emphasis on the adequacy of access management and data privacy controls.

The AG said a review identified significant weaknesses in the Office of Disaster Preparedness and Emergency Management, ODPEM’s, information security governance framework, which impacted the access controls over the support Jamaica website.

It was found that ODPEM did not have formally approved information security or access control policies and procedures to govern the assignment, management and monitoring of user rights across its information systems.

In the absence of an established access policy, ODPEM operated without an enforceable standard for the provisioning, modification and de-provisioning of user accounts on the support Jamaica-administrative dashboard.

Consequently, ODPEM was exposed to an elevated risk of inappropriate or unauthorized access, inconsistent security practices, and weakened overall control of its information systems.

The AG has recommended that in order to strengthen governance, accountability, and statutory compliance, ODPEM must complete registration as a data controller with the Office of the Information Commissioner and formally appoint a Data Protection Officer, as required by the data protection act.